Case Study

Privacy by design

24th May 2019

One year on from GDPR, have businesses fully embraced all aspects of compliance?

It has been 12 months since the GDPR came into effect. A year since businesses and individuals were subject to a flurry of emails stating ‘Your privacy is important to us… please check the details we have for you’. But has this year signified a new dawn in data compliance, or do we still have a long way to go before compliance is a matter of routine for the region’s businesses?

“From the conversations we have had over the past year, it seems that rather than embrace a true sense of ‘privacy by design’, some businesses have simply amended elements of their practice based on limited knowledge they have been able to attain regarding GDPR,” comments Peter Manford, lead Partner in Higgs & Sons' Commercial team and a specialist in data compliance matters.

“Privacy by design is essentially the concept that a respect for personal data and the requisite privacy becomes embedded in the culture and practice of a business. We have seen that this is often more aspiration than practice when it comes to owners and managers, who are busy trying to get to grips with this new legislation whilst running a successful business.”

“GDPR is not a one size fits all. To become GDPR compliant, different organisations in different sectors will need to take measures that are proportionate and fit their particular circumstances. The first step is to understand what GDPR actually means in terms of data held within their own organisation. Unfortunately one year on many businesses are still unaware of the full implications of the regulations.”

From Peter’s experience, the main issues facing SME owners are that they:

  • don’t know the full extent of the data they hold or why they hold it
  • don’t think GDPR gives individuals any new rights
  • don’t know the penalties for breaching GDPR (in terms of percentage global turnover)
  • aren’t equipped to deal with data subject requests quickly enough
  • are carrying out direct marketing without understanding the relevant rules.

“Businesses can’t continue to put compliance off or remain ignorant as to the implications of non-compliance,” comments Laura Pearson, a member of Higgs’ Commercial team.

“Those who have engaged properly with GDPR are seeing improvements in their business not just in terms of compliance but in terms of better customer engagement as they look at what data they hold and how and why they are using that information. Customers prefer to deal with organisations they trust, and having confidence in how their data is handled is both an important element of and a demonstration of that trustworthiness. In other words, handling personal data in a compliant manner tends to enhance reputation and brand value, which in turn should ultimately translate into profits.

“Data compliance should be seen very much as a marathon, not a sprint. What we mean by that is that compliance cannot be a one-off tick-box exercise. Businesses should look at what data they hold and where it is stored and then take the appropriate steps, including training staff on how it should be used. Once that has been achieved, organisations need to keep GDPR and data processing under regular review, building in ‘privacy by design’ thinking to ensure compliance processes are flexible enough to meet changing requirements within their business and externally, as well as the continuous evolution of technology.”

A year on from implementation, the ICO (Information Commissioner’s Office), the body that oversees and monitors data compliance, appears to be stepping up its investigations across all business sectors. According to one report published in February this year there had been more than 59,000 personal data breaches notified to regulators in the eight months since GDPR implementation. Breaches ranged from emails sent to the wrong recipient, to major cyberhacks affecting millions of individuals.

“For a time the ICO had staffing issues and concerns about ongoing funding. However, these have been all but resolved now that registration fees have been introduced, and staffing levels and resourcing at the ICO are going up,” continues Peter Manford.

“High profile cases such as Cambridge Analytica and Google attract global attention – Google received the largest GDPR fine to date for breaches based on a ‘lack of transparency, inadequate information and lack of valid consent regarding advert personalisation’ – but there are a growing number of smaller (SME) organisations being fined, and with increased resources and the general media spotlight, that is only likely to increase.

“One risk is that the ICO will focus on a particular sector because one or more organisations in it suffered a data breach or were found to be in breach of the regulations – if that happens to be your sector then expect the spotlight to shine in your direction even though you have not suffered a data breach yourself.”

Higgs’ specialists feel that as GDPR moves into its second year, enforcement will become more robust with a greater number of breaches and subsequent fines reported.

Peter Manford: “Issues such as what are ‘legitimate interests’, an increase in data protection regulations globally and of course Brexit will all have an impact. Potentially any organisation that holds or uses personal data may be hit as the ICO step up their investigations and deal with the backlog of data breach notifications.”

“Businesses need to convince people that they care about data protection – to do that they need to embrace a culture of ‘privacy by design’. We can help by educating business owners and managers on the implications of the regulations and how these can be embedded in their working practices.

“We offer a range of services from getting to grips with the basics to carrying out full data audits. Working together we can ensure a business is not only compliant with regard to the regulations but also better placed to offer their customers a better level of service based on a greater understanding of their needs. In this day and age data is an essential business tool, but one year on it is important that companies do not ignore GDPR and risk turning this essential asset into a business liability. Rather they should grasp the nettle, work to become compliant and in doing so embrace the opportunity for reputational and resultant business enhancement that that compliance offers.”
